Hi guys,
I've got a script uploading HTML files into Splunk. This uses IOCs to check which hosts are infected and by what malware, what the malware changes and so on. I have one particular file which has the name of the malware, the hash, a description and even the files changed. Together with the IP address of the host, it has everything.
My question is, though, how do I tell Splunk where to find the name of the malware and where the hash is? Bearing in mind that the location of the name will stay the same but the name itself will differ depending on the malware found.
I need this so as to have counters and timecharts of which host is infected by what.
Sample File:
xmlns:ioc="http://schemas.mandiant.com/2010/ioc" id="openioc">
<div id="openioc-head">
<div id="openioc-logo"></div>
<div id="openioc-title">
<h1>
ZeroAccess/Siref.P</h1>
<h4>0d0a744b-f7bf-453d-9105-5662bc27086e</h4>
</div>
</div>
<div id="openioc-main">
host=192.168.89.137
I need to tell Splunk that, in indexes with xmlns:ioc, the malware title is in h1 and the hash is in h4.
Thanks for your help
Try
(?i)<h1>(?P<dd>[^<]+)
and
(?i)<h4>(?P<dd>[^<]+)
Where "dd" is going to be what you want to call the field extraction. Use FIELDNAME if you are using the interactive field extractor. Then name it when you save.
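As an added illustration (not part of the original answer), the script below runs the two named-group patterns from the answer over an event built from the sample in the question, and beside them a tightened pair. The point it shows: in the sample the <h1> value starts on the line after the tag, and since [^<]+ also matches newlines, the field as extracted by the answer's pattern carries a leading line break, which would split your stats/timechart values. Anchoring on whitespace and the closing tag avoids that. Field names malware, ioc_id and host are my choice here; the (?P<name>...) syntax is the same one Splunk's rex command and EXTRACT-* props use.

```python
import re

# Constructed event, copied from the sample in the question: note the line break
# between <h1> and the malware name, and the host= line appended by the uploader.
SAMPLE_EVENT = """<div id="openioc-title">
<h1>
ZeroAccess/Siref.P</h1>
<h4>0d0a744b-f7bf-453d-9105-5662bc27086e</h4>
</div>
host=192.168.89.137
"""

# The two patterns from the answer, with distinct group names so both fields
# can live on the same event (two extractions both called "dd" would collide).
ANSWER_PATTERNS = {
    "malware": re.compile(r"(?i)<h1>(?P<malware>[^<]+)"),
    "ioc_id": re.compile(r"(?i)<h4>(?P<ioc_id>[^<]+)"),
}

# Tightened versions: skip whitespace after the opening tag, stop lazily before
# optional whitespace and the closing tag, so line breaks never enter the value.
# "host" is an extra extraction for the host= line (assumed layout from the sample).
TIGHT_PATTERNS = {
    "malware": re.compile(r"(?i)<h1>\s*(?P<malware>[^<]+?)\s*</h1>"),
    "ioc_id": re.compile(r"(?i)<h4>\s*(?P<ioc_id>[^<]+?)\s*</h4>"),
    "host": re.compile(r"(?im)^host=(?P<host>\S+)"),
}


def extract_fields(event, patterns):
    """Apply each named-group regex to one event and return the fields found.

    This mirrors what a search-time extraction produces, e.g. in SPL:
      | rex field=_raw "(?i)<h1>\\s*(?P<malware>[^<]+?)\\s*</h1>"
      | rex field=_raw "(?i)<h4>\\s*(?P<ioc_id>[^<]+?)\\s*</h4>"
      | stats count by host, malware
    """
    fields = {}
    for name, pattern in patterns.items():
        match = pattern.search(event)
        if match:
            fields[name] = match.group(name)
    return fields


def has_stray_whitespace(fields):
    """True if any extracted value still carries leading/trailing whitespace,
    which is exactly what breaks 'stats count by malware' grouping."""
    return any(value != value.strip() for value in fields.values())


if __name__ == "__main__":
    as_answered = extract_fields(SAMPLE_EVENT, ANSWER_PATTERNS)
    tightened = extract_fields(SAMPLE_EVENT, TIGHT_PATTERNS)
    print("answer's patterns :", as_answered, "stray whitespace:", has_stray_whitespace(as_answered))
    print("tightened patterns:", tightened, "stray whitespace:", has_stray_whitespace(tightened))
```

Run it on the sample and the first dict shows the malware value starting with "\n"; the second is clean. Whichever you use, name the two groups differently (the answer uses "dd" for both only as a placeholder) so the h1 and h4 extractions do not overwrite each other.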
Regex is painful for me as well. Try the interactive field extractor or the | erex command. Much easier.
Thanks that was perfect, I'm still trying to get around regex 😛
Thanks for the help, I'm away for the week so I'll try it when I get back.